Headline
CVE-2023-1146: Stored XSS via blog author parameter on admin.php?p=config in flatpress
Cross-site Scripting (XSS) - Generic in GitHub repository flatpressblog/flatpress prior to 1.3.
Valid
Description
The blog author parameter is not sanitized on the page admin.php?p=config, which makes it possible to inject arbitrary JavaScript code.
Proof of Concept
- Log in as a regular user
- Go to http://localhost/flatpress/admin.php?p=config
- Set the blog author to "><script>alert(document.domain)</script>
- Refresh the page
Impact
JavaScript code can be executed in the user's browser without any interaction.
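
The mitigation for this class of bug is output encoding at the point where the stored blog author value is written back into the page. The PHP sketch below is an added example, not FlatPress code or the project's patch; it assumes the value is reflected inside a double-quoted attribute (suggested by the leading "> in the Proof of Concept value), and the function names and the "author" field name are hypothetical.

```php
<?php
// Added illustration, not FlatPress source. The function names and the
// "author" field name are hypothetical.

// Vulnerable pattern: the stored value is concatenated into the attribute
// unchanged, so a double quote ends value="..." and the rest becomes markup.
function render_author_unsafe(string $author): string
{
    return '<input type="text" name="author" value="' . $author . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function render_author_safe(string $author): string
{
    $encoded = htmlspecialchars($author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="author" value="' . $encoded . '">';
}

// Regression check: the rendered HTML must be exactly one <input> whose
// value decodes back to what was stored. Early attribute termination or
// leaked markup makes the pattern fail.
function field_is_inert(string $html, string $stored): bool
{
    $pattern = '/\A<input type="text" name="author" value="([^"]*)">\z/';
    if (preg_match($pattern, $html, $m) !== 1) {
        return false;
    }
    return htmlspecialchars_decode($m[1], ENT_QUOTES) === $stored;
}

// Constructed samples: the value from the Proof of Concept and a benign
// name containing characters that must survive encoding.
$samples = [
    '"><script>alert(document.domain)</script>',
    "O'Brien & Co",
];

foreach ($samples as $stored) {
    printf(
        "%-45s unsafe_inert=%s safe_inert=%s\n",
        $stored,
        var_export(field_is_inert(render_author_unsafe($stored), $stored), true),
        var_export(field_is_inert(render_author_safe($stored), $stored), true)
    );
}
```

Encoding on output rather than stripping characters on save keeps legitimate names such as the second sample intact while rendering the stored value as plain text.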